Win32/Bagle.DR is an email worm. Three different components of this worm have been identified so far.
A downloader of about 3 kB is probably the component spammed out first. When executed, it downloads a file from a single hard-coded URL, saves it in the %system% folder under a random filename, and then runs it. The downloaded file is the mass-mailer.
Note: %windir% denotes the Windows directory (e.g. C:\WINDOWS) and %system% denotes the Windows System directory (e.g. C:\WINDOWS\SYSTEM32); the actual paths differ between versions of Microsoft Windows.
The size of the mass-mailing component is about 20 kB. When it is executed, it copies itself into the %system% folder as "wind2ll2.exe".
A registry value named "erfgddfk", containing the path to wind2ll2.exe, is added under the following key:
The worm removes several registry entries related to other Win32 worms.
Inside the executable, there is a ZIP archive containing the next component of Win32/Bagle.DR. It is another small downloader that is spread further via e-mail.
Subjects of the messages sent are randomly picked from the following list:
The same list is used to choose a random filename for the ZIP archive in the attachment.
Body of the message contains one of the following lines:
The archive contains an executable with the fixed filename "123.exe". The file is about 9 kB in size. When the user executes it, it copies itself into the %system% directory as "anti_troj.exe".
In order to run on every system start, the program adds a registry value named "anti_troj", containing the path to anti_troj.exe, under the following keys:
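The mass-mailer carries the next stage as a ZIP archive embedded in its own executable, and that archive in turn holds the fixed-name "123.exe". The following is an added example (not part of the original write-up or of ESET's tooling) of how an analyst can carve such embedded archives out of a binary: it scans for ZIP local-file-header signatures, lets Python's zipfile validate each candidate via its end-of-central-directory record, and flags members with executable extensions. The carrier bytes are constructed in the code (a fake "MZ" prefix, the archive, trailing padding) and contain no real malware.

```python
import io
import zipfile

LOCAL_HEADER_SIG = b"PK\x03\x04"
# Attachment members that should never be run straight from an e-mail
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


def build_sample_carrier():
    """Constructed stand-in for the mass-mailer binary (not the real sample):
    a fake PE-style prefix, an embedded ZIP holding '123.exe', and trailing
    bytes. The '123.exe' member is inert filler."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("123.exe", b"MZ" + b"\x00" * 200)
    return b"MZ" + b"\x90" * 512 + buf.getvalue() + b"\xcc" * 64


def carve_embedded_zips(data):
    """Return every ZIP archive embedded in `data`.

    Each 'PK\\x03\\x04' local-file-header signature is a candidate start.
    zipfile validates a candidate by locating the end-of-central-directory
    record and resolving member offsets relative to the carve point; the
    candidate is kept only if its first member's header lands exactly at
    offset 0, which rejects false hits on later members of the same archive
    (their resolved first-member offset comes out negative).
    """
    found = []
    pos = 0
    while (off := data.find(LOCAL_HEADER_SIG, pos)) != -1:
        pos = off + len(LOCAL_HEADER_SIG)
        try:
            with zipfile.ZipFile(io.BytesIO(data[off:])) as zf:
                members = zf.infolist()
                if not members or members[0].header_offset != 0:
                    continue
                names = [m.filename for m in members]
                found.append({
                    "offset": off,
                    "members": names,
                    "sizes": {m.filename: m.file_size for m in members},
                    "has_executable": any(
                        n.lower().endswith(EXECUTABLE_SUFFIXES) for n in names),
                    "payload": {m.filename: zf.read(m) for m in members},
                })
        except (zipfile.BadZipFile, ValueError, OSError, EOFError):
            # Stray 'PK\x03\x04' bytes that do not begin a parseable archive
            continue
    return found


if __name__ == "__main__":
    for hit in carve_embedded_zips(build_sample_carrier()):
        print(hit["offset"], hit["members"], hit["sizes"], hit["has_executable"])
```

Because zipfile works from the end-of-central-directory record, the same routine tolerates data prepended to or appended after the archive, which is exactly the situation when a ZIP is stored as a blob inside a larger executable.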
The image %system%\ntimage.gif is displayed the first time the program runs. On that first run it also creates the registry key HKEY_CURRENT_USER\Software\FirstRRRun\FirstRRRun, and the presence of this key prevents the image from being shown again.
The downloader contains a list of 51 URLs from which it repeatedly tries to download a file. If it succeeds, the file is saved under a random filename in %system%\exefld and then executed. It is not known which file is meant to be downloaded; it might be one of the components described above.
NOD32 was able to detect all three pieces of Win32/Bagle.DR proactively. Signatures have been available since version 1.1301.
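The write-up names several host artifacts (dropped files under %system%, the two autorun values, the first-run marker key and the %system%\exefld drop folder). The following is an added example, not part of the original write-up or of any ESET tool, of turning those indicators into a triage check over artifacts collected from a host. It normalises Windows paths case-insensitively so it can be run on a Linux analysis box against a file listing and registry export, and it resolves %system% per host because the directory differs between Windows versions. The registry keys that hold the autorun values are not reproduced in the text above, so the check matches those values on name and data under whatever key they appear in; the `HostSnapshot` structure and all sample data are constructed for this example.

```python
import ntpath
from dataclasses import dataclass

# Indicators taken from the write-up. %system% is resolved per host.
FILE_IOCS = {
    r"%system%\wind2ll2.exe": "mass-mailer",
    r"%system%\anti_troj.exe": "e-mailed downloader",
    r"%system%\ntimage.gif": "e-mailed downloader",
}
RUN_VALUE_IOCS = {               # value name -> (component, expected file)
    "erfgddfk": ("mass-mailer", "wind2ll2.exe"),
    "anti_troj": ("e-mailed downloader", "anti_troj.exe"),
}
MARKER_KEY = r"HKEY_CURRENT_USER\Software\FirstRRRun\FirstRRRun"
DROP_DIR = r"%system%\exefld"


@dataclass
class HostSnapshot:
    """Artifacts collected from one host (constructed structure for this example)."""
    system_dir: str       # resolved %system%, e.g. C:\WINDOWS\system32
    files: list           # full paths of files present on disk
    registry_keys: list   # full key paths present
    registry_values: list # (key, value_name, data) triples


def norm(path):
    # Windows paths are case-insensitive; ntpath.normcase lowercases and turns
    # forward slashes into backslashes on any platform. Quotes around autorun
    # data are stripped so "C:\...\x.exe" and C:\...\x.exe compare equal.
    return ntpath.normcase(ntpath.normpath(path.strip().strip('"')))


def expand(ioc, system_dir):
    return norm(ioc.replace("%system%", system_dir))


def scan(snap):
    """Return (component, detail) findings for every Bagle.DR indicator observed."""
    findings = []
    files = {norm(f) for f in snap.files}

    for ioc, component in FILE_IOCS.items():
        full = expand(ioc, snap.system_dir)
        if full in files:
            findings.append((component, f"file present: {full}"))

    drop_dir = expand(DROP_DIR, snap.system_dir)
    for f in sorted(files):
        if ntpath.dirname(f) == drop_dir:
            findings.append(("downloaded payload", f"file in exefld drop folder: {f}"))

    for key, name, data in snap.registry_values:
        hit = RUN_VALUE_IOCS.get(name.lower())
        if hit and ntpath.basename(norm(data)) == hit[1]:
            findings.append((hit[0], f"autorun value {name} -> {norm(data)} under {key}"))

    if any(norm(k) == norm(MARKER_KEY) for k in snap.registry_keys):
        findings.append(("e-mailed downloader", f"first-run marker key: {MARKER_KEY}"))
    return findings


def sample_snapshot():
    """Constructed sample data, not taken from a real infection."""
    sysdir = r"C:\WINDOWS\system32"
    run_key = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
    # run_key is sample input only; the write-up's own key list is not
    # reproduced here and scan() does not depend on the key path.
    return HostSnapshot(
        system_dir=sysdir,
        files=[
            sysdir + r"\notepad.exe",
            sysdir + r"\WIND2LL2.EXE",       # mixed case on purpose
            sysdir + r"\anti_troj.exe",
            sysdir + r"\exefld\kq3x8v.exe",   # random-named download
        ],
        registry_keys=[MARKER_KEY, r"HKEY_CURRENT_USER\Software\Microsoft\Notepad"],
        registry_values=[
            (run_key, "erfgddfk", f'"{sysdir}\\wind2ll2.exe"'),
            (run_key, "anti_troj", sysdir + r"\anti_troj.exe"),
            (run_key, "ctfmon", sysdir + r"\ctfmon.exe"),  # benign entry
        ],
    )


if __name__ == "__main__":
    for component, detail in scan(sample_snapshot()):
        print(f"[{component}] {detail}")
```

Matching the autorun value on both its name and the basename of its data keeps a coincidental value name from firing while still catching the persistence entry wherever the worm placed it; the exefld check deliberately reports any file in that folder, since the write-up does not identify the downloaded payload.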
History: Analysis and Write-up by: Juraj Sarinay
© 1992-2005 Eset All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.